Here are the background notes and further reading for my presentation at the Saasu Cloud Conference on 11 May 2012, “Security and the Cloud: Hype versus Reality”.
This presentation was a quick run-through of what I think have been the most important themes from the past 12 to 18 months.
About two-thirds of what I write touches upon information security, cybercrime, cyberwar, or privacy and transparency issues.
If you’d like the full firehose of information, please stay in touch via my list of written articles, the compilation of my media work in my Weekly Wrap posts and — if you don’t mind seeing my less-presentable public face as well as my serious work — my high-volume Twitter feed.
If you have any questions or comments, do please add them below. I’ll generally respond within 48 hours.
Things are very scary…
2011 was billed as the year of the hacker, and the year of the hacktivist. And yes, it was bad.
Hackers working under the Anonymous brand compromised Sony’s PlayStation network, costing the company $170 million.
Anonymous also hacked Stratfor, a US private intelligence analysis firm, stealing their 10-year archive of confidential emails and apparently handing them to WikiLeaks.
Anonymous splinter group LulzSec hacked into Rupert Murdoch’s News International, including UK newspaper The Sun — although it seems that most of LulzSec has since been arrested when their leader was turned and became an FBI informant.
Random hackers even defaced a Tasmanian government website. How very dare they.
Mid-year, McAfee told us about Operation Shady RAT, a five-year program by an unnamed nation state that had infiltrated dozens of organisations around the world. Most of them didn’t even know they were hacked.
We heard how the Stuxnet worm attacked Iran’s nuclear program — although the attack itself took place the previous year — leading to claims that 2012 would be the year of cyberwar. Atomic explosions illustrated the cover of books like Cyberdeterrence and Cyberwar by Martin C Libicki.
… but we don’t really know
Despite all the hype, we have no reliable figures on the extent of the problem.
Online crime is under-reported and under-researched. Plenty of people have called for mandatory reporting of cybercrime, including the chief technology officer of AVG
and Detective Superintendent Brian Hay of the Queensland Police. Me too.
Major security companies avoid telling us the facts and continually promote dubious statistics.
McAfee’s claims about Shady RAT were mostly hand-waving, quite probably exaggeration.
Sophos reckons this focus on high-profile attacks distracts us from the real threats.
The report on Cyber Storm III, the latest in a series of five-nation cybersecurity exercises, told us nothing.
“The exercise provided insight into key decision making processes within government, business and industry. These insights could not have been achieved without processes being tested in an exercise,” the report reveals. Gaps were identified. Improvements made. Relationships built.
Introducing the hacker
Jasmine Singh Cheema, aka Pherk, aka Zero Cool, is a typical hacker and the most likely threat you’ll face.
Cheema did $1.5 million of damage to his employer’s competitors in 2005 in exchange for a few sneakers and a watch. His story is told in Tracking Cybercrooks: the tools feds use and Hacker’s Delight.
The story of the December 2011 extortion attempt against Sulieman Ravell’s financial advisory business is told in the Manly Daily, and I spoke with him at length in a subsequent Patch Monday podcast.
Israeli researcher Tal Be’ery has monitored Anonymous and LulzSec. He reckons Anonymous hacktivists prefer penetration, but choose targets of opportunity. I spoke with him for the Patch Monday podcast too, Removing the anonymity from Anonymous.
Most cybercriminals are stupid, but there’s a lot of them and the tools are cheap and easy to obtain. Your paper boy might hack your home network because you didn’t tip him.
The Cloud changes none of this…
… except for the complexity and your ability to understand what’s going on.
Most of the recent surveys have shown that when it comes to cloud computing, security is the number one concern. And every time I’ve looked at this in detail, the message from the information security experts has been get a lawyer.
That goes double in government circles.
Legal complexities make it difficult to use public cloud computing, according to Raimund Genes, Trend Micro’s chief technology officer. Unless you’re a criminal, that is.
“Public cloud for me is not really a security challenge. It is a change in the way we operate with data. It doesn’t decrease security. It increases complexity, and that’s a problem,” he told the company’s Canberra Cloud Security Conference.
“The cloud, from a legal point of view, will keep our internal lawyers and everybody else busy for the next fifty, one hundred years,” he said.
Hybrid clouds will probably be the answer, balancing the low price of public clouds for less critical with the increased ability to monitor private clouds for more critical data.
Mobile devices are changing everything — especially on the Android operating system, which could end up being a simmering security shemozzle.
You don’t know who your Friends of Friends are
The internet connects every computer directly with every other computer. That’s not new.
What is new is that we’re publishing more information than ourselves than ever before. And while we might think we’re sharing that information with our friends, or friends of friends — those terms are highly misleading.
We might think of friends-of-friends as someone we’d let a friend bring to dinner. But research by Sophos shows that half of the time people will automatically friend someone on Facebook, even if they know nothing about them. Friends of those friends could be literally anyone.
We don’t even know who our enemies are either. After all, anyone can call themselves Anonymous.
DSD has some great advice
According to the Defence Signals Directorate, the agency responsible for the protection of Australian government and military networks, four simple strategies can prevent 85% of targeted intrusions.
DSD has published the full list of the top 35 mitigation strategies.
This work won DSD the US Cybersecurity Innovation Award for 2001.
Evgeny (“Eugene”) Aseev, head of the Kaspersky’s China antivirus lab, has his own list of 18 infosec fails that let crims win.
This time we’re all in the front line
John Lawler, chief executive officer of the Australian Crime Commission (ACC) reckons we all need to harden up.
“There will always be exceptions — high-profile cases and particularly unique cases — where prosecution will be attempted,” he said, “where for deterrent purposes you’ll put a head on a stake somewhere, and I’m an advocate of that — not literally — where that becomes important for community confidence.” …
“I think it is absolutely essential for governments, for businesses, for the individual, to have the proper controls in place to prevent, or to harden the environment against, the cyber attack.”
Organisations must have audit controls, for example, particularly for digital information, and robust governance. They must understand security risks in their full complexity, both technical and human factors.
“That message hasn’t, I think, permeated — certainly in business — to the extent and level it needs to,” Lawler said.
And we need to make sure our data is encrypted, especially on portable media.
The problem is, it’s human nature to put security last.
Businesses need to start taking this more seriously. I’ve called for their to be less pep talk, more stick, and I reckon negligent data breaches should become a criminal offence. I’m not alone.
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Australia License.
The non-commercial and share-alike conditions are required to adhere to the licensing of the imagery used. Please contact me if you require an alternative version. As a minimum, attribution should read: “Source: Stilgherrian.” Online versions must link the word Stilgherrian to the website at stilgherrian.com.
[Image credits: Cows by Emmett Tullos III, used under a Creative Commons Attribution license (CC BY); photo of Jasmine Singh Cheemsa supplied by FBI via PCWorld Communications Inc; Clouds by Jerry Pierce (Flickr/Uncle Jerry) CC BY-NC-SA; Social graph image by Jim Bumgardner (Flickr/krazydad) CC BY-NC-SA; “Loose Tweets Sink Fleets” by Brian Lane Winfield Moore CC BY-NC-SA; “This time we are all in the front line” by Phil Bradley CC BY-NC-SA.]